Personal data security, and the 4 lessons we can take from the Medicare data breach

In July 2017, it was revealed that Medicare card details were being sold on the “dark web”, by a vendor who claimed to have access to every Australian’s Medicare card details, and could supply them on request, amounting to a serious data breach. The story was broken by The Guardian Australia, after one of its journalists, Paul Farrell, confirmed this claim by purchasing details of his own Medicare card for the paltry sum of around $30.

Alan Tudge, the Human Services minister at the time (notably, Tudge has recently been replaced by Michael Keenan, who will also serve as the Minister Assisting the Prime Minister for Digital Transformation) quickly jumped to assure the public that this wasn’t in fact “a cybersecurity attack as such”, but rather “traditional criminal activity” – that is, someone had used a legitimate access point for unauthorised purposes. “We’ve had such traditional criminal activity in the past, for example, where someone has literally broken into a doctor’s clinic to seize Medicare card numbers, which they would then try and use for fraudulent purposes,” he said to ABC Breakfast’s Fran Kelly, just two days after the report.

Tudge’s claim that this breach was the result of “traditional criminal activity” seems to imply that this is not a cybersecurity issue, but this assertion is very much misplaced. Indeed, access control lies squarely in the realm of cybersecurity – and just a few simple measures could help prevent such data breaches.

Here are the 4 lessons that can be taken away from the Medicare data breach and applied to your own organisations.

1. Have stringent monitoring processes

Tudge openly admitted that the department had been unaware of the darknet vendor, who had been operating since October 2016, until the Guardian broke the story. “We first found out about it yesterday because of the Guardian newspaper article,” he said on 5 July 2017. “Immediately upon hearing this claim, as we always do when there is a claim of criminal activity or fraud, the AFP is alerted and we undertake an internal investigation.”

It is thought that the breach occurred via a registered account for DHS’ HPOS Medicare verification service, used by healthcare providers throughout the country, but monitoring such a system, which is accessed around 45,000 times per day, is certainly no mean feat. According to deputy secretary Caroline Edwards, there are “163,000-odd potential ways into HPOS”, making it highly difficult to identify the individual responsible.

Now consider your own organisation: how long do you think it would take you to identify a potential breach? Could an individual get away with unauthorised use of information for weeks, or even months?

It’s important to have stringent and regular monitoring processes in place to help you identify unusual activity and quickly locate the source of a breach. Some government agencies and private organisations that handle sensitive information even monitor popular dark web sites, to ensure their information hasn’t been leaked.

Such simple measures – regularly renewing accounts, suspending inactive accounts, and having additional layers of authentication on top of usernames and passwords – can help to limit the risk of data breaches at your own organisation. And while advanced measures like tokenisation and encryption may be all the rage, sometimes you just need to ensure you’ve got the basics downpat. “Something as simple as strong and readily enforced password management policies, such as requiring passwords to be long and complex, keeping them unique to certain applications or systems and regularly changing them throughout the year, could save a company from a data breach,” says Kevin Cunningham, president and co-founder of SailPoint.

3. Consider how the data is stored

Another vulnerability that the Medicare data breach exposed was the risk of having sensitive data stored in big, centralised repositories. “The chances of 100 per cent securing a system with 100,000 access points against being hacked is close to zero,” said medical IT specialist Paul Power. “The weakness of the whole system is only as strong as its weakest link.”

My Health Record, which Australians will have to opt out of starting from this year, will similarly be stored in a centralised location, which, says Power, is asking for trouble. “The kind of breach that has evidently happened with the Medicare data can – and almost certainly will – happen with the My Health Record data if we go ahead and host it on this same kind of centralised depository,” he said to the Sydney Morning Herald.

Power recommends following in Germany’s footsteps, and having a decentralised model where people’s master data is stored on personalised cards and backed up on an individual consulting doctor’s computer.

Is your data being put at risk by being stored in a central repository? What is the weakest link in your security system?

“Unfortunately, we are plagued by a culture at all levels of government to ‘spin’ the message, including events related to cybersecurity,” his submission said.

“There is nothing good to come from this in the long term. Considered use of language to clearly communicate cybersecurity issues is critical, particularly in response to cyber incidents. Effectively communicating cybersecurity concepts can build confidence, provide assurance and convey opportunity.

“It can be the difference in whether management of a cyber incident, such as the one being investigated by the committee, is perceived as a success or failure.”

If your organisation is unlucky enough to fall prey to a data breach (and, inevitably, many will be), perhaps the worst thing you can do is try to cover it up. Any breaches should be communicated to stakeholders quickly, clearly and honestly, as this will help to restore trust in the system.

The long-ranging consequences of data breaches

“This feeling – this sense emerging of governments just not being very good at handling data – has many follow-on consequences. It erodes public trust. It costs money and time. It deters good people from getting involved to help build robust, intuitive digital services. Good people working on government projects leave.

“It sets a precedent for how future automated systems might be designed and implemented. It makes people suspicious of genuinely useful technologies and tools designed to safeguard our data.